Backdoor Laws Can't Contain Global Encryption, Says New Report

  • Russell Brandom
  • The Verge
  • February 11, 2016

In recent months, the FBI has been pushing for stronger US restrictions on encryption — but a new report from Harvard's Berkman Center suggests such laws reach only a small portion of the relevant products. Taking a census of 865 different encryption products from around the world, the report finds that roughly two-thirds are produced and distributed overseas, outside the jurisdiction of US law. Germany was the biggest source of non-US crypto, with 112 separate products either for sale or available free. Just over a third of the foreign products make their code available as open source.

"What this demonstrates is that domestic laws regarding encryption backdoors won't work," said respected cryptographer Bruce Schneier, one of three co-authors of the report. "The market is very international, and bad guys can easily switch to foreign encryption products that don't have backdoors."

That doesn't mean US companies are irrelevant. The average webgoer is still far more likely to encounter cryptography designed by Google, Microsoft, Amazon, and PayPal than many of the products studied in the paper, which is part of why US law enforcement is so interested in regulating them. Still, the study makes it clear that no US law can stamp out encryption products entirely, which undermines the FBI's widely criticized concern that criminals will be "going dark" unless legislation intervenes. If the US did pass a law restricting encryption or mandating backdoors, the result would likely be a shift to overseas vendors, the paper concludes. A number of US companies might also move their headquarters to escape the new law.

"Any US law mandating backdoors will primarily affect people who are unconcerned about government surveillance, or at least unconcerned enough to make the switch," the authors write. "These people will be left vulnerable to abuse of those backdoors by cybercriminals and other governments."
